Friday, January 29, 2010

"Computer Tampering" as Exceeding Authorized Access

As I’ve noted in earlier posts, federal and state statutes criminalize two kinds of unlawful “access” to a computer:

the “outsider” crime (unauthorized access, i.e., the person is not authorized to have any access to the computer or computer system); and

the “insider” crime (exceeding authorized access, i.e., the person is authorized to access the system for certain purposes or to a certain extent but went beyond what he or she was authorized to do).

As I’ve also noted, federal courts currently disagree as to whether the federal “exceeding authorized access” offense defined by 18 U.S. Code § 1030(a) targets (i) an employee’s going beyond the scope of his/her authorized access to the computer system or (ii) an employee’s using his/her access to the employer’s computer system to obtain data or otherwise engage in activity detrimental to the employer’s interests.

As I explained in an earlier post, how you resolve that issue basically depends on whether you construe the § 1030(a) crimes as “burglary” crimes (one gains unlawful entry into a place to commit a crime therein) or as “trespass” crimes (one gains unlawful entry into a place).

This post is about a recent case from Arizona – State v. Young, 2010 WL 129693 (Arizona Court of Appeals 2010 – which involved a conviction for Arizona’s exceeding authorized access crime.The Arizona Court of Appeals’ decision parses an Arizona statute that has a slightly different take on the crime.This is how the case arose:

[Clifton] Young was employed by the Arizona Department of Transportation (`ADOT’) as a member of the server management team. The seven-person team administered ADOT's computer server infrastructure. . . . Young had elevated domain administrator privileges, which provided him access to all computer servers on the ADOT computer network. Among the computer servers on the ADOT network was a server that hosted the personnel files for ADOT employees.

[ADOT’s] Chief Information Officer decided EPAS scores in the IT department [were] inflated . . . and directed . . . managers to recalibrate the scoring of their subordinates to establish a more realistic baseline. The supervisor of the server management team complied. . . .Young's EPAS score, which had been no lower than 4, dropped to 3.3.

The recalibration became a subject of discussion among the server management team. The members of the team . . . were concerned that downgraded EPAS scores might be the first step toward outsourcing their jobs. The supervisor met with team members and explained that the scores were lowered as part of a general realignment of scores in the IT department and that they were not being individually penalized.

Young subsequently showed another member of the team an Excel spreadsheet displayed on a computer in his cubicle that included the names and EPAS scores for the entire IT department. . . . [It] indicated the server management team was the only group . . . to have its EPAS scores reduced. Young contacted the team supervisor and informed him of the spreadsheet. When the supervisor asked for a hard copy of the spreadsheet, Young left and returned with a printout. The supervisor [told] Young he would take the spreadsheet to his superior and ask if he could rescore the team given the failure of other supervisors to comply with the recalibration directive.

After the supervisor spoke to his superior . . . ADOT began an investigation [into] the source of the unauthorized disclosure of the EPAS scores. . . . [A] forensic examination was performed on the computers of the server management team. The examination revealed that the EPAS spreadsheet, which was stored on the server in question, had been accessed from one of Young's work computers by a person using his user ID and password. . . . [It] also revealed that [his] computer had been used to access other Human Resource documents on the server during the same time frame. . . . Young had no business need to access the spreadsheet or other Human Resource documents.

State v. Young, supra.

Young was “terminated from his position at ADOT” and “charged with one count of computer tampering” in violation of Arizona Revised Statutes § 13-2316(A)(7). State v. Young, supra.Section 13-2316(A)(7) provides as follows:

A person who acts without authority or who exceeds authorization of use commits computer tampering by . . . [k]nowingly obtaining any information that is required by law to be kept confidential or any records that are not public records by accessing any computer, computer system or network that is operated by this state, a political subdivision of this state or a medical institution.

Young went to trial on the charge, was convicted and was put “on probation for eighteen months.” State v. Young, supra.He appealed his conviction to the Arizona Court of Appeals, arguing “that the evidence presented at trial was insufficient to support his conviction.” State v. Young, supra.More precisely, he claimed it didn’t establish certain elements of the crime:

The elements of the species of computer tampering charged in this case are: (1) without authority or in excess of authority; (2) knowingly obtaining; (3) information required by law to be kept confidential or records that are not public records; (4) by accessing any computer, computer system or network operated by the State. . . . Young contends that the evidence was insufficient to permit the jury to find the existence of the first and third elements of this offense beyond a reasonable doubt.

State v. Young, supra.On the first issue, Young noted that “the indictment described the offense as having been committed `without lawful or administrative authority’ and the jury instructions defined it in the same manner. State v. Young, supra.He argued that “because he had `elevated domain administrator’ privileges that gave him the ability to access the server, no reasonable person could conclude that he acted without authority when he accessed the Human Resource documents” on the server. State v. Young, supra.

Young cited federal cases construing 18 U.S. Code § 1030(a) as supporting his argument. State v. Young, supra.But the Court of Appeals didn’t buy his argument:

These federal cases are inapposite because the federal statute they apply defines the offense simply in terms of `intentionally access[ing] a computer without authorization or exceed[ing] authorized access.’ 18 U.S. Code § 1030(a). In contrast, the essence of the offense with which Young was charged is the obtaining of specific information or records, not the act of accessing the computer.. . . [T]he issue of authority for purposes of § 13-2316(A)(7) turns on whether a person has authority to obtain the information or records that are the object of the offense-not on whether the person has authority to access the computer. We therefore reject Young's argument that the indictment and jury instructions constrained the State to prove facts not supported by the evidence.

State v. Young, supra.

The Court of Appeals then turned to Young’s second argument, which focused on the third element of the crime, i.e., the requirement that the improper access have been used to obtain either (i) information required by law to be kept confidential or (ii) records that are not public records. State v. Young, supra.The State conceded that the EPAS score spreadsheet did not fall in “this category because there is no statute requiring that such information be kept confidential”, but claimed the jury could legitimately have found that “Young obtained information within this category based on the evidence that [his] computer was used to access other Human Resource documents.” State v. Young, supra.The Court of Appeals found that the problem with this argument was that no

substantial evidence was presented at trial regarding the contents of these documents. None of the documents were admitted in evidence and testimony regarding them was limited to general descriptions. While there was testimony that there were files on the server that included social security numbers as well as personal medical information and other matters subject to state and federal confidentiality laws, that testimony was never tied to the specific files Young accessed. Absent evidence that the documents Young obtained actually contained information protected by state or federal law, any finding that Young obtained such information would be pure speculation.

State v. Young, supra.

The court also found that “the evidence is insufficient to support a finding that Young obtained `any records that are not public records’ from the server.” State v. Young, supra.It noted, first, that an Arizona statute states that “[p]ublic records . . . shall be open to inspection by any person at all times during office hours.” State v. Young, supra (citing Arizona Revised Statutes § 39-121).It also noted that Arizona case law defines a “public record” as one “`made by a public officer in pursuance of a duty’” or “`any written record of transactions of a public officer in his office’” State v. Young, supra (quoting Carlson v. Pima County, 141 Ariz. 487, 687 P.2d 1242 (Arizona Supreme Court 1984)).

The Court of Appeals then held that based on the

limited descriptions provided at trial of the Human Resource documents accessed by Young, all appear to fall within the definition of public records. The State does not dispute that the documents are public records, but asserts that the phrase `any records that are not public records’ should be construed to mean public records exempt from disclosure despite the presumption of access under the public records law. . . According to the State, in light of the testimony that the Human Resource documents were `confidential’ and `sensitive,’ the jury could find that the State had proven an exception to disclosure under the public records law.

The flaw in the State's argument is that it is contrary to the plain language of the statute. The phrase in issue clearly states `records that are not public records ‘ -- i.e., private records. The State's interpretation would require that `not public records’ be read to mean the exact opposite of the words used by the Legislature. When a statute's language is plain and unambiguous, we must apply the text as written.

State v. Young, supra.The Court of Appeals held that while Young “did not have authority to obtain the EPAS score spreadsheet on the server”, the prosecution did not prove that he “obtained information or records from the ADOT server within either of the two categories that are the subject of” Arizona Revised Statutes § 13-2316(A)(7). State v. Young, supra. It therefore reversed his conviction and ordered “the charge dismissed.” State v. Young, supra.

(The Court of Appeals noted that the State could instead have charged Young with computer tampering under Arizona Revised Statutes § 13-2316(A)(8), which defines the crime as (i) “exceed[ing] authorization of use” and (ii) “knowingly accessing” a computer or computer network or data “contained in a computer, computer system or network.”That would have eliminated the need to prove that Young accessed information required by law to be kept confidential or records that are not public records.”)

5 comments:

"[T]he issue of authority for purposes of § 13-2316(A)(7) turns on whether a person has authority to obtain the information or records that are the object of the offense-not on whether the person has authority to access the computer. We therefore reject Young's argument that the indictment and jury instructions constrained the State to prove facts not supported by the evidence."

This is nonsense. People who manage computers are given broad access precisely to avoid the necessity of authorizing their individual operations. Unless they are doing something clearly averse to their employer's interest, this kind of analysis requires people with administrator access to engage in mind reading and face criminal penalties should they fail.

Suppose I'm the administrator on a computer and I notice that the disk is nearly full. I run some commands to see why the disk is full and I notice that it's a directory called 'personal' on space allocated to an employee. Am I authorized to look in it? I have specifically been given the ability to do so. And I've been given this ability specifically so that I *don't* have to ask before I do thing.

There is much more to this story. Young had just reported the ADOT C.I.O, Joe Throckmorton to ADOT’s Human Resources for engaging in sexual activities with a subordinate. Young reported that the subordinate was subsequently given a large salary increase and additional responsibilities. He also reported that Throckmorton was frequently traveling at the tax payer’s expense in order to carry on his affair on State time State dime. Young also stated that ADOT Human Resources pretended to investigate his complaint regarding Throckmorton. Thockmorton denied the affair however he and his subordinate subsequently got married and had just returned from their honeymoon when Throckmorton terminated Young. It was also Throckmorton who had the spreadsheet (floppy) created that was later found by Young on his desk. Co-incidence… probably not.

ADOT's Jeff Himmelstein lied to the grand jury in order to obtain an indictment against Young. ADOT also arrested Young without an arrest warrant and claimed they had a search warrant which they did not have. It was later found ADOT did not have any statutory authority to conduct an arrest or search. Young filed a law suit against ADOT management in January, 2011. To "Anonymous" the testimony in this case indicated that Young gave the floppy to his supervisor.